Bassie

Reputation: 10390

Unauthorized Operation When Querying Event Logs

I have the following code for querying some events on a remote computer:

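using System.Diagnostics.Eventing.Reader;

// XPath filter: events 5061/5058 created within the last {Timespan} milliseconds
var filter = $"*[System[(EventID='5061' or EventID='5058') and TimeCreated[timediff(@SystemTime) <= {Timespan}]]]";
EventLogSession session;

// GetPassword() supplies the SecureString that EventLogSession requires
using (var pw = GetPassword())
{
    session = new EventLogSession(
        "PCNAME",
        "DOMAIN",
        "USERNAME",
        pw,
        SessionAuthentication.Default);
}

// Bind the query to the remote session instead of the local machine
var query = new EventLogQuery("Security", PathType.LogName, filter)
    { Session = session };

var reader = new EventLogReader(query);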

When we reach the last line, EventLogReader(query) throws an error:

Attempted to perform an unauthorized operation.

The user USERNAME is a member of the Event Log Readers group on AD in the same domain. Is there some other group that he needs to be a member of? Or is there some way of configuring the Event Log Readers group to allow certain types of access?

Upvotes: 2

Views: 1547

Answers (1)

Bassie

Reputation: 10390

This was happening because the user specified in EventLogSession did not have local admin rights on the PC being queried.

After adding "USER" as a local admin on "PCNAME", I was able to query the logs successfully.


I thought this had already been set up, but because "USER" was added as an admin to all PCs via a script, the list of computers that it applied to must have been incomplete due to a bug in that script.

Upvotes: 1
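
The answer traces the error to machines that a rights-assignment script had missed. As an added example (not part of the original question or answer), this C# program opens the Security log on each host passed on the command line with the same account and reports which ones refuse access; `SecurityLogAccessCheck`, `Probe` and `ReadPassword` are hypothetical names, and "DOMAIN" and "USERNAME" are the placeholders from the question.

```csharp
// Added example, not the poster's code. DOMAIN, USERNAME and the host list are placeholders.
using System;
using System.Diagnostics.Eventing.Reader;
using System.Security;
static class SecurityLogAccessCheck
{
    // Returns null if the Security log can be opened and read on host, otherwise the reason.
    static string Probe(string host, string domain, string user, SecureString password)
    {
        try
        {
            using (var session = new EventLogSession(host, domain, user, password,
                                                     SessionAuthentication.Default))
            {
                var query = new EventLogQuery("Security", PathType.LogName,
                    "*[System[(EventID=5061 or EventID=5058)]]") { Session = session };
                using (var reader = new EventLogReader(query)) // the call that failed in the question
                using (reader.ReadEvent()) { } // null (no matching event) still means access works
                return null;
            }
        }
        catch (UnauthorizedAccessException) { return "access denied"; }
        catch (EventLogException ex) { return "event log error: " + ex.Message; }
    }

    static SecureString ReadPassword()
    {
        var pw = new SecureString();
        Console.Write("Password: ");
        for (var key = Console.ReadKey(true); key.Key != ConsoleKey.Enter; key = Console.ReadKey(true))
            if (key.Key == ConsoleKey.Backspace) { if (pw.Length > 0) pw.RemoveAt(pw.Length - 1); }
            else pw.AppendChar(key.KeyChar);
        Console.WriteLine();
        return pw;
    }

    static int Main(string[] hosts) // usage: SecurityLogAccessCheck.exe PC1 PC2 ...
    {
        int failures = 0;
        using (var pw = ReadPassword())
            foreach (var host in hosts)
            {
                string reason = Probe(host, "DOMAIN", "USERNAME", pw);
                if (reason != null) failures++;
                Console.WriteLine("{0}: {1}", host, reason ?? "ok");
            }
        return failures == 0 ? 0 : 1;
    }
}
```

A non-zero exit code means at least one host rejected the account or could not be reached, which makes the check usable after a bulk rights change.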
